The ACL model is unable to make correct access decisions for interactions
involving more than two principals, since required information is not retained
across message sends. Though this deficiency has long been documented in the
published literature, it is not widely understood. This logic error in the ACL
model is exploited by both the clickjacking and Cross-Site Request Forgery
attacks that affect many Web applications.
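A minimal model of the three-principal case described above, added here as an illustration and not taken from the original text. The names `Browser`, `bank_acl`, `CapBank` and the `.example` origins are constructed assumptions; the second half shows a capability-style check, where the request itself must carry the authority, for contrast.

```python
import secrets

# Constructed model: a page (principal 1) asks the browser (principal 2, the
# deputy) to send a request to the bank (principal 3).
ACL = {("alice", "transfer")}  # the bank's access control list


def bank_acl(session_user, action):
    """ACL decision: keyed only on the sender of the final message."""
    return (session_user, action) in ACL


class Browser:
    """Deputy that attaches the user's ambient credential to every request."""

    def __init__(self, user):
        self.user = user

    def submit(self, page_origin, action):
        # page_origin is known at this hop but never reaches the ACL check:
        # this is the information not retained across the message send.
        return bank_acl(self.user, action)


class CapBank:
    """Capability-style server: authority travels with the designation."""

    def __init__(self):
        self._caps = {}

    def grant(self, action):
        token = secrets.token_urlsafe(16)  # unguessable reference
        self._caps[token] = action
        return token

    def invoke(self, token, action):
        return self._caps.get(token) == action


def run():
    browser = Browser("alice")
    origins = ("bank.example", "other.example")
    # ACL model: the bank cannot tell which page originated the request.
    acl = {o: browser.submit(o, "transfer") for o in origins}
    # Capability model: only the page that was handed the token can use it.
    bank = CapBank()
    held = {"bank.example": bank.grant("transfer"), "other.example": "no-token"}
    cap = {o: bank.invoke(held[o], "transfer") for o in origins}
    return acl, cap


if __name__ == "__main__":
    print(run())
```

Under the ACL check both origins are allowed because the decision sees only `alice`; under the capability check only the page holding the token succeeds.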